Reports of a mass file injection attack were seen over the weekend. Upwards of 400,000 sites seem to have been affected so far by URLs that download a file that seems to be related to the Zlob trojan. Most of these sites seem to be running phpBB forum software. If you have the capability you may want to examine egress logs and/or blacklist the two URLs that are currently known to be distributors. Those URLs are:
hxxp://free.hostpinoy.info/f.js
hxxp://xprmn4u.info/f.js
A new version of the Mozilla Thunderbird Client was released today. The new version fixes a security issue that could allow JavaScript to escalate privileges and execute arbitrary code. It also fixes a crashing issue. If you use Thunderbird as your mail client it should be updated as soon as possible due to the mitigation of a security flaw.
Nothing like a disaster to bring out the crimeware.
Keep your eyes open for disaster and aid oriented phishing and trojan scams. There is likely to be the same types of attacks that we have seen with other disasters. We can expect everything from Trojan horses designed to look like headline update tools, phishing schemes asking for donations, basic client-side exploits from web and HTML emails and the usual myriad of outright fraud.
Basically, if you really want to help folks, drop by known and trusted organizations such as the Red Cross, etc.
Be on the look out for strange network activity as this is likely going to be a basis for growing the bot-nets by yet another expansion.
Attacks continue in the wild against ASP pages with SQL injection flaws. It appears that the worm is injection scripts and iframes into the webpages which then forwards users to another page with an exploit embedded. The exploits are believed to be based on recent Real Player vulnerabilities. take over visitors to the websites. It looks like the infection of user machines is by Real Player vulnerabilities that seem more or less detected pretty well. It’d be a good idea to make sure everyone has Real Player updated if it is installed as a precaution for users that may visit any infected site.
Windows XP Service Pack 3 has been released. This long awaited update to Windows XP offers some enhanced security features borrowed from Windows Vista and a few other things. Rolling out this service pack will also install all of the Windows updates released since service pack 2. Some of the enhancements in SP3 includes black hole router detection, network access protection, enhanced security for administrator and service policy entries, and a kernel mode cryptographic module.
Akamai Download Manager installs an ActiveX control if a user uses the ActiveX download manager. The ActiveX control will remain installed on the users computer until manually removed. A program execution vulnerabillity has been identified within this ActiveX control. This problem is due to two undocumented object parameters. By using these parameters in a malicous website, it is possible to cause the Download Manager to automatically download and execute arbitrary applications from malicious hosts.
Akamai has released a new version of the download manager to correct this issue. MicroSolved recommends updating to the newest version if you have ever used the Download Manager. It is also possible to manually remove the ActiveX control, or set the kill-bits for this control to disable it.
An unspecified vulnerability in the Java plug-in can allow an untrusted applet to gain escalated privileges. The vulnerability is known to exist in version 5.0.2. For full details see IBM’s advisory at:http://www-1.ibm.com/support/docview.wss?uid=swg1PK65161
A vulnerability in IBM Lotus Expeditor has been identified, which could be exploited to compromise a user’s system. The issue is that the application registers the “cai” URI handler, which allows launching rcplauncher.exe with arbitrary command line arguments. This can be exploited to execute arbitrary by having a user click on a malicous url link. It’s reported that Lotus Expeditor Client for Desktop versions 6.1.0, 6.1.2, and 6.1.2 are vulnerable. Contact IBM Support to request a patch to mitigate this issue.
Two new vulnerabilities have been identified in WordPress 2.5. The vulnerabilities could allow an attacker to conduct xss attacks, bypass some security restrictions, compromise the vulnerable system. The first vuln could allow an attacker to bypass the authentication mechanism by creating a cookie with certain settings.
The second vulnerability is caused by passing input to an unspecified parameter which is not properly sanitised by the server. This vulnerability can be exploited to execute arbitrary script code in a user’s browser session.
All users should update to the latest version of WordPress, version 2.5.1.
A double free vulnerability exists in perl 5.8.8. A result of a UTF8 crafted regular expression, this vulnerability could cause a denial of service on certain operating systems. This has not been fixed as of the time of this writing.
A curious vulnerability has been announced for Trillian 3.1 where a specially formed nickname can cause a buffer overflow in Windows. Very few details are available at this time, and an exploit hasn’t been released, but I wouldn’t expect it to be long before we see a real PoC.